Microsoft Starts Blocking Websites with SHA-1 Certificates in Edge, IE Browsers


CrAKeN


The warning users will see when loading an SHA-1 website

 

Microsoft has completed the deprecation of SHA-1 certificates with the May 2017 security updates, so websites that are using it are now blocked in Microsoft Edge and Internet Explorer.

 

Split into three different phases, the SHA-1 deprecation is a security measure that all major browser developers, including Microsoft, Google, and Mozilla, have agreed on, with Redmond now applying the changes to its new Windows 10 browser as well.

 

Users trying to load a website that uses an SHA-1 certificate will see a warning telling them “there’s a problem with this website’s security certificate” and “this might mean that someone’s trying to fool you or steal any info you send to the server.” Microsoft recommends that users “close this site immediately,” but provides them with two options, one of which is to continue to the webpage.

 

Also blocked in Firefox and Chrome


“We intend to do more to warn consumers about the risk of downloading software that is signed using an SHA-1 certificate. Our goal is to develop a common, OS-level experience that all applications can use to warn users about weak cryptography like SHA-1. Long-term, Microsoft intends to distrust SHA-1 throughout Windows in all contexts. Microsoft is closely monitoring the latest research on the feasibility of SHA-1 attacks and will use this to determine complete deprecation timelines,” Microsoft explains.

 

The SHA-1 deprecation is taking place on all Windows versions that are still supported in May 2017, so while Edge is only available in Windows 10, Internet Explorer is introducing this change on Windows 7, 8.1, and 10.

 

Microsoft explains that enterprise and self-signed SHA-1 certificates are not affected by this security update, though the company recommends that everyone switch to SHA-2 as soon as possible.

 

Seeing Microsoft finally ban SHA-1 is not such a big surprise, as this hashing function has been around since 1995, with a growing number of attacks recorded in the last decade. Companies and organizations alike have blocked the use of SHA-1 certificates, including US federal agencies, which have not been allowed to use it since 2010.

 

Source
